Performing a z/os Vulnerability Assessment. Part 3 - Remediation. Presented by Vanguard Integrity Professionals

Transcription

1 Performing a z/os Vulnerability Assessment Part 3 - Remediation Presented by Vanguard Integrity Professionals

2 Legal Notice Copyright 2014 Vanguard Integrity Professionals - Nevada. All Rights Reserved. You have a limited license to view these materials for your organization s internal purposes. Any unauthorized reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited. Trademarks IBM, RACF, System z, and z/os are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. UNIX is a registered trademark of The Open Group in the United States and other countries. Vanguard Administrator, Vanguard Analyzer, Vanguard Advisor, Vanguard Offline, Vanguard QuickGen, Vanguard zsecurity University, and Vanguard Security & Compliance are trademarks of Vanguard Integrity Professionals Nevada. 2

3 Agenda Introduction 1 This section re-introduces this vulnerability assessment webinar series and relationship between the three (3) episodes. Exposure Remediation 2 This section discusses the remedial activity required to reduce the security exposures identified in the environment Wrap Up 3 This section wraps up the webinar series. 3

4 Performing a z/os Vulnerability Assessment Remediation INTRODUCTION 4

5 Webinar Series Overview - Reminder Session 1 Session 2 Session 3 Data Collection Review this session anytime from the go2vanguard.com website Data Analysis Review this session anytime from the go2vanguard.com website Remediation April 10 th 8am Pacific / 11am Eastern April 16 th 11am Pacific / 2pm Eastern April 22 nd Noon Pacific / 3pm Eastern 5

6 Vulnerability Assessment Approach Data Collectection This is the data collection phase to be able to assess the environment. Data Analysis This is the data analysis phase where the data collected is analyzed for any potential vulnerabilities. Report This is the report phase where the consultant creates a findings reports and discusses the findings and recommendations with the customer. Remediation This is remediation phase where the Vanguard consultant explains the results of the data analysis and provides remediation advice Today s Webinar 6

7 Performing a z/os Vulnerability Assessment Remediation EXPOSURE REMEDIATION 7

8 Vulnerability Assessment Scope Scope: Vanguard Top 10 z/os Risks Identified in Customer Security Assessment Excessive Number of User IDs with No Password Interval Inappropriate Usage of z/os UNIX Superuser Privilege UID(0) Started Task IDs are not Defined as PROTECTED IDs Dataset Profiles with UACC Greater than READ Improper Use or Lack of UNIXPRIV Profiles Dataset Profiles with UACC of READ Excessive Access to the SMF Data Sets RACF Database is not Adequately Protected Excessive Access to APF Libraries Inappropriate Access to FACILITY BPX.DAEMON Profile Note: Data collected from hundreds of security assessments performed by Vanguard Integrity Professionals. 8

9 Vanguard Tools for Remediation Vanguard Administrator Simplify and Enhance Security Management Functions on systems running IBM Security Server (RACF) Vanguard Provides Identity & Access Management solutions and Governance, Risk & Compliance solutions for z/os and other enterprose platforms. Vanguard Analyzer Delivers expert-level Vulnerability Assessments and Audit results for System z in minutes Vanguard Advisor Offers the most comprehensive Event Detection, Analysis and Reporting package for the z/os environment Vanguard Offline Tests and analyzes how changes to the RACF database will impact users and processes before commands are executed in a production environment 9

10 #1 Remediation Excessive Number of User IDs with No Password Interval Risk - Severe Recommended Best Practice and Remediation User IDs with no password Interval are not required to change their passwords. Since passwords do not need to be changed periodically, people who knew a password for an ID could still access that ID even if they are no longer authorized users. Review each of the personal user profiles to determine why they require NOINTERVAL. Their passwords should adhere to the company policy regarding password changes. If the user ID is being used for started tasks or surrogate, it should be reviewed and changed to PROTECTED. If the user ID is being used for off platform process, then review controls for where the passwords are stored and consider converting to usage of digital certificates or other alternatives. 10

11 Vanguard Administrator Excessive Number of User IDs with No Password Interval Report Generation Vanguard Administrator : User Profile Summary (Fastpath 3;1;1) Mask: Protected: N PWD Interval: 0 Revoked: N 11

12 Remediate the Excessive Number of User IDs with No Password Interval Vanguard QuickGen Use QuickGen to Change Password Interval 12

13 Remediate the Excessive Number of User IDs with No Password Interval Vanguard QuickGen Use QuickGen to Make User IDs PROTECTED 13

14 #2 Remediation Inappropriate Usage of z/os UNIX Superuser Privilege UID(0) Risk - High Recommended Best Practice and Remediation User IDs with z/os UNIX superuser authority, UID(0), have full access to all UNIX directories and files and full authority to administer z/os UNIX. The assignment of UID(0) authority should be minimized by managing superuser privileges through profiles in the UNIXPRIV class. For those user IDs that do not require unrestricted superuser authority, but do require some privileged UNIX authority, UID(0) should be changed to a non-zero UID and access should be granted to one or more of the BPX.qualifier profiles in the FACILITY class and/or access to one or more profiles in the UNIXPRIV class. For user IDs associated with started tasks, other than those for which UID(0) is appropriate, product documentation should be reviewed to determine what specific UNIX authority is required, grant only that authority, and then replace UID(0) in their respective OMVS segments with a non-zero value. 14

15 FACILITY Class Profiles Resource Name BPX.CF BPX.CONSOLE BPX.DAEMON BPX.DAEMON.HFSCTL BPX.DEBUG BPX.FILEATTR.APF BPX.FILEATTR.PROGCTL BPX.FILEATTR.SHARELIB BPX.JOBNAME BPX.POE BPX.SERVER BPX.SHUTDOWN BPX.STOR.SWAP BPX.SUPERUSER BPX.UNLIMITED.OUTPUT BPX.WLMSERVER Authority Granted Controls the use of the Coupling Facility sizer tool (_cpl()) Controls access to authorized features of the _console() service Controls the change of MVS identities without knowing the target user ID s password Controls the loading of uncontrolled programs from MVS libraries into their address space Controls the use of ptrace (via dbx) to debug programs Controls the setting of the APF-authorized attribute in an HFS file Controls the setting of the program control attribute in an HFS file Controls setting the shared library extended attribute in an HFS file Controls which users are allowed to set their own job names Controls the use of Port-of-Entry for MLS security checks (_poe) Restricts the use of the pthread_security_np() service Controls special treatment at shutdown Controls which users can make address spaces nonswappable Allows users to switch to superuser authority Allows users to override the default spooled output limits for processes Controls access to the WLM server functions 15

16 Creating the Report Inappropriate Usage of z/os UNIX Superuser Privilege UID(0) Report Generation Vanguard Administrator : User OMVS Segment (Fastpath 3;5;9;1) Mask: UID: 0 16

17 Using EXCLUDE / REBUILD Inappropriate Usage of z/os UNIX Superuser Privilege UID(0) Using Exclude/Rebuild Exclude is used to select the fields you do NOT want in the Rebuild 17

18 Using EXCLUDE / REBUILD Inappropriate Usage of z/os UNIX Superuser Privilege UID(0) Using Exclude/Rebuild Exclude all fields except UID 18

19 Using EXCLUDE / REBUILD Inappropriate Usage of z/os UNIX Superuser Privilege UID(0) Using Exclude/Rebuild Rebuild all of the profiles 19

20 Remediate the Inappropriate Usage of z/os UNIX Superuser Privilege UID(0) Change the UIDs Use AUTOUID for the assignment of unique UIDs 20

21 #3 Remediation Started Task IDs are not Defined as PROTECTED IDs Risk - High Recommended Best Practice and Remediation User IDs associated with started tasks should be defined as PROTECTED which will exempt them from revocation due to inactivity or excessive invalid password attempts, as well as being used to sign on to an application. Review all started task user IDs that are not protected. Determine if the user IDs are used for any other function that might require a password. Define the started task user IDs as PROTECTED for those tasks that do not require a password. 21

22 Creating the Report Started Task IDs are not Defined as PROTECTED IDs Report Generation Vanguard Administrator : User Profile Summary (Fastpath 3;1;1) Mask: Protected: N Owner: STC Group Name 22

23 Remediate the Started Task IDs are not Defined as PROTECTED IDs Vanguard QuickGen Use QuickGen to Define the Started Tasks as PROTECTED 23

24 #4 Remediation Dataset Profiles with UACC Greater than READ Risk - Severe Recommended Best Practice and Remediation Data sets that are protected by a RACF profile with a UACC greater than READ allow most users with system access to read or modify these data sets. In addition, users may be able to delete any data set covered by the dataset profiles that have a UACC of ALTER. Review each of these profiles and determine whether the UACC is appropriate. For those profiles where the UACC is excessive, you will have to determine who really needs access before changing the UACC. To find out who is accessing these data sets, review SMF data to determine who is accessing the data sets with greater than READ access. You can then build PERMIT commands based on the review of the SMF data. 24

25 Creating the Report Dataset Profiles with UACC Greater than READ Report Generation Vanguard Administrator : Data Set Profile Summary (Fastpath 3;3;1) Mask: UACC: R GT 25

26 Create a Command File Dataset Profiles with UACC Greater than READ Vanguard QuickGen Use QuickGen to Create a Command File 26

27 Check Access Dataset Profiles with UACC Greater than READ Vanguard Offline Use Offline to Check Access 27

28 Specify Input File Dataset Profiles with UACC Greater than READ Vanguard Offline Use Offline to Check Access 28

29 Enter Input File and Submit Dataset Profiles with UACC Greater than READ Vanguard Offline Use Offline to Check Access 29

30 Run an Impact Analysis Report Dataset Profiles with UACC Greater than READ Vanguard Offline Use Offline to Check Access 30

31 Previously Granted Access Report Dataset Profiles with UACC Greater than READ Vanguard Offline Use Offline to Check Access 31

32 Review the Report for Previous Access Dataset Profiles with UACC Greater than READ Vanguard Offline Use Offline to Check Access 32

33 #5 Remediation Improper Use or Lack of UNIXPRIV Profiles Risk - High Recommended Best Practice and Remediation The UNIXPRIV class resource rules are designed to give a limited subset of the superuser UID (0) capability. When implemented properly, UNIXPRIV profiles can significantly reduce the unnecessary requests for assignment of UID (0) to user IDs. Review the users activity that are currently defined as SUPERUSERs to determine if more granular profiles may be defined in the UNIXPRIV class that will authorize their activity. Refine the access list and define more granular profiles based upon the superuser functions that the users with UID(0) need. 33

34 The UNIXPRIV Class Profiles Resource Name SUPERUSER.FILESYS (READ access) SUPERUSER.FILESYS (UPDATE access) SUPERUSER.FILESYS (CONTROL access) SUPERUSER.FILESYS.ACLOVERRIDE SUPERUSER.FILESYS.CHANGEPERMS SUPERUSER.FILESYS.CHOWN SUPERUSER.FILESYS.MOUNT SUPERUSER.FILESYS.QUIESCE SUPERUSER.FILESYS.PFSCTL SUPERUSER.FILESYS.USERMOUNT SUPERUSER.FILESYS.VREGISTER SUPERUSER.IPC.RMID SUPERUSER.PROCESS.GETPSENT SUPERUSER.PROCESS.KILL SUPERUSER.PROCESS.PTRACE SUPERUSER.SETPRIORITY Access Given Allows a user to read any HFS file and read or search any HFS directory. Allows a user to write to any existing HFS file. Allows a user to write to any HFS directory. Specifies that ACL entries override SUPERUSER.FILESYS Allows users to change permission bits for any file. Allows a user to change ownership of any file. Allows a user to issue mount and unmount requests. Allows user to issue quiesce and unquiesce commands for a file system Allows a user to call pfsctl(). Allows nonprivileged users to mount and unmount file systems with the nosetuid option. Allows a user to issue vregister() to register as a vfs file server. Allows a user to do ipcrm calls to clean up leftover IPC mechanisms. Allows user to see all processes. Allows user to send signals to any process. Allows user to use dbx to trace any process. Allows a user to increase his priority. 34

35 Creating the Report Improper Use or Lack of UNIXPRIV Profiles Report Generation Vanguard Administrator : General Resource Access List (Fastpath 3;4;4) Mask: Class: UNIXPRIV 35

36 #6 Remediation Dataset Profiles with UACC of READ Risk - High Recommended Best Practice and Remediation Data sets that are protected by a RACF profile with a UACC of READ will allow most users with system access to read or copy sensitive and critical data residing in these data sets. Review each of these profiles and determine whether the UACC is appropriate. For those profiles where the UACC is excessive, you will have to determine who really needs access before changing the UACC. To find out who is accessing these data sets, review SMF data to determine who is accessing the data sets with READ access. You can then build PERMIT commands based on the review of the SMF data. 36

37 Creating the Report Dataset Profiles with UACC of READ Report Generation Vanguard Administrator : Data Set Profile Summary (Fastpath 3;3;1) Mask: UACC: R EQ 37

38 Verify Previous Access Use Vanguard QuickGen to create command file Use command file as input to Vanguard Offline Run the Impact Report from Vanguard Offline Review the report for previous access granted 38

39 #7 Remediation Excessive Access to the SMF Data Sets Risk - High Recommended Best Practice and Remediation SMF data collection is the system activity journaling facility of the z/os system. With the proper parameter designations, it serves as the basis to ensure individual user accountability. The ability to READ SMF data enables someone to identify potential opportunities to breach your security. If UPDATE or higher access is granted, a risk of audit log corruption exists. Access control for the unloaded data is critical to ensure a valid chain of custody. Ensure that access authority to SMF collection files is limited to only systems programming staff and/or batch jobs that perform SMF dump processing and ensure that UPDATE and higher accesses are being logged. 39

40 Creating the Report Excessive Access to the SMF Data Sets Report Generation Vanguard Analyzer : SMF Environment Analysis option 3;H Enter DSN Command to display SMF Dataset Information Enter option R for profile information 40

41 Review the Report Excessive Access to the SMF Data Sets Review Report Ensure the access to the SMF data sets is limited to appropriate users 41

42 #8 Remediation RACF Database is not Adequately Protected Risk - Severe Recommended Best Practice and Remediation The RACF database contains extremely sensitive security information. No access to the RACF database is required for normal administration activities using either RACF commands or the RACF provided ISPF panels. A user who has read access to the RACF database could make a copy and then use a cracker program to find the passwords for user IDs and could obtain a list of user IDs and resources. Review the protection for the RACF database and remove any entries granting access higher than NONE, other than the senior RACF administrators and system staff running RACF database utilities. 42

43 Creating the Report RACF Database is not Adequately Protected Report Generation Vanguard Analyzer : Database Analysis option 3;3 Enter option R for profile information 43

44 Review the Report RACF Database is not Adequately Protected Review Report Verify that only senior RACF administrators and system staff running RACF database utilities have access to the RACF database 44

45 #9 Remediation Excessive Access to APF Libraries Risk - Severe Recommended Best Practice and Remediation UPDATE or higher access to an APF library can allow an individual to create an authorized program which can bypass security controls and execute privileged instructions. UPDATE or higher access should be limited to senior systems support staff. Review all accesses to APF libraries and remove or change inappropriate access entries. Ensure that UPDATE and higher accesses are being logged. 45

46 Creating the Report Excessive Access to APF Libraries Report Generation Vanguard Analyzer : Sensitive/Critical Data Sets Analysis Batch option 4;B Enter option R next to Authorized Program Facility (APF) Table Enter YES for RACF detail 46

47 Review the Report Excessive Access to APF Libraries Review Report Verify that UPDATE or higher access to the APF libraries is limited to senior systems support staff 47

48 #10 Remediation Inappropriate Access to FACILITY Class BPX.DAEMON Profile Risk - High Recommended Best Practice and Remediation Daemons are processes that perform services for other users. In order to do this, a daemon must be able to change its identity temporarily to the identity of the user it will perform work for. The RACF FACILITY class profile called BPX.DAEMON can be used to control the use of the daemon functions. Access to BPX.DAEMON must be restricted to the z/os UNIX kernel user ID, z/os UNIX daemons (e.g., inetd, syslogd, ftpd), and other system software daemons (e.g., web servers). Review the access list of the BPX.DAEMON profile to remove any access for users that are not actual z/os UNIX daemons. 48

49 Creating the Report Inappropriate Access to FACILITY Class BPX.DAEMON Profile Report Generation Vanguard Administrator : General Resource Access List (Fastpath 3;4;4) Mask: Class: FACILITY Profile: BPX.DAEMON 49

50 Review the Report Inappropriate Access to FACILITY Class BPX.DAEMON Profile Review Report Verify that access to the profile is restricted to the z/os UNIX kernel user ID and z/os UNIX daemons 50

51 Performing a z/os Vulnerability Assessment Remediation WRAP-UP 51

52 Vulnerability Assessment - Wrap-up Vulnerability Assessments are a required part of your security program, including z/os Tools can help automate these assessments, but you still need knowledge and skills to interpret the data presented to you Vanguard can help you through our security assessment services for z/os 52

53 Vanguard zsecurity University To register for a webinar or training course: go2vanguard.com Place mouse on Training Customer Savings: Special Discounts for software customers and Vanguard Security & Compliance 2013 attendees Don t forget that all of the Vanguard zsecurity University courses are eligible for CPE Credits and all course materials are provided on a tablet computing device that the attendee keeps at the end of the class. 53

54 Assessment Data Sheet To learn more about Vanguard Assessment Services, download the Assessment Data Sheet 54

55

56 Questions 56